global rule SizeLimit
{
    condition:
        filesize < 30MB
}
rule ChinaChopper_Generic {
	meta:
		description = "China Chopper Webshells - PHP and ASPX"
		author = "Florian Roth"
		reference = "https://www.fireeye.com/content/dam/legacy/resources/pdfs/fireeye-china-chopper-report.pdf"
		date = "2015/03/10"
	strings:
		$aspx = /%@\sPage\sLanguage=.Jscript.%><%eval\(RequestItem\[.{,100}unsafe/
		$php = /<?php.\@eval\(\$_POST./
	condition:
		1 of them
}
rule WebShell_RemExp_asp_php {
	meta:
		description = "PHP Webshells Github Archive - file RemExp.asp.php.txt"
		author = "Florian Roth"
		hash = "d9919dcf94a70d5180650de8b81669fa1c10c5a2"
	strings:
		$s0 = "lsExt = Right(FileName, Len(FileName) - liCount)" fullword
		$s7 = "<td bgcolor=\"<%=BgColor%>\" title=\"<%=File.Name%>\"> <a href= \"showcode.asp?f"
		$s13 = "Response.Write Drive.ShareName & \" [share]\"" fullword
		$s19 = "If Request.QueryString(\"CopyFile\") <> \"\" Then" fullword
		$s20 = "<td width=\"40%\" height=\"20\" bgcolor=\"silver\">  Name</td>" fullword
	condition:
		all of them
}
rule GIFCloaked_Webshell_A {
	meta:
		description = "Looks like a webshell cloaked as GIF"
		author = "Florian Roth"
		hash = "f1c95b13a71ca3629a0bb79601fcacf57cdfcf768806a71b26f2448f8c1d5d24"
		score = 50
	strings:
		$magic = { 47 49 46 38 } /* GIF8 ... */
		$s0 = "input type"
		$s1 = "<%eval request"
		$s2 = "<%eval(Request.Item["
		$s3 = "LANGUAGE='VBScript'"
	condition:
		( $magic at 0 ) and ( 1 of ($s*) )
}
rule evilpic
{
    strings:
        $gif = {47 49 46 38 ?? 61} // GIF8[version]a
        $png = {89 50 4E 47 0D 0a 1a 0a} // \X89png\X0D\X0A\X1A\X0A
        $jpeg = {FF D8 FF E? ?? ?? 4A 46 49 46 } // https://raw.githubusercontent.com/corkami/pics/master/JPG.png
    condition:
        filesize < 10MB and ($gif at 0 or $png at 0 or $jpeg at 0) and (uint16(0) == 0x3f3c or uint16(0) == 0x4850 or uint16(0) == 0x4b50 or uint16(0) == 0x253c or uint16(0) == 0x4b50 or uint16(0) == 0x696c or uint16(0) == 0x6553 or uint16(0) == 0x7473 or uint16(0) == 0x5A4D) 
}
rule CloudFlareBypass
{
    strings:
        $ = "chk_jschl"
        $ = "jschl_vc"
        $ = "jschl_answer"
    condition:
        2 of them // Better be safe than sorry
}
private rule base64
{
    strings:
        $user_agent = "SFRUUF9VU0VSX0FHRU5UCg"
        $eval = "ZXZhbCg"
        $system = "c3lzdGVt"
        $preg_replace = "cHJlZ19yZXBsYWNl"
        $exec = "ZXhlYyg"
        $base64_decode = "YmFzZTY0X2RlY29kZ"
        $perl_shebang = "IyEvdXNyL2Jpbi9wZXJsCg"
        $cmd_exe = "Y21kLmV4ZQ"
        $powershell = "cG93ZXJzaGVsbC5leGU"
    condition:
        2 of them
}
private rule hex
{
    strings:
        $globals = "\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53" nocase
        $eval = "\\x65\\x76\\x61\\x6C\\x28" nocase
        $exec = "\\x65\\x78\\x65\\x63" nocase
        $system = "\\x73\\x79\\x73\\x74\\x65\\x6d" nocase
        $preg_replace = "\\x70\\x72\\x65\\x67\\x5f\\x72\\x65\\x70\\x6c\\x61\\x63\\x65" nocase
        $http_user_agent = "\\x48\\124\\x54\\120\\x5f\\125\\x53\\105\\x52\\137\\x41\\107\\x45\\116\\x54" nocase
        $base64_decode = "\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65\\x28\\x67\\x7a\\x69\\x6e\\x66\\x6c\\x61\\x74\\x65\\x28" nocase
    condition:
        any of them
}
private rule strrev
{
    strings:
        $globals = "slabolg" nocase fullword
        $preg_replace = "ecalper_gerp" nocase fullword
        $base64_decode = "edoced_46esab" nocase fullword
        $gzinflate = "etalfnizg" nocase fullword
    
    condition:
        any of them
}
private rule Hpack
{
    strings:
		$globals = "474c4f42414c53" nocase
        $eval = "6576616C28" nocase
        $exec = "65786563" nocase
        $system = "73797374656d" nocase
        $preg_replace = "707265675f7265706c616365" nocase
        $base64_decode = "61736536345f6465636f646528677a696e666c61746528" nocase
    
    condition:
        any of them
}
rule SuspiciousEncoding
{
    condition:
        base64 or hex or strrev or Hpack
}
rule DodgyStrings
{
    strings:
        $ = ".bash_history"
        $ = /AddType\s+application\/x-httpd-(php|cgi)/ nocase
        $ = /php_value\s*auto_prepend_file/ nocase
        $ = /SecFilterEngine\s+Off/ nocase  // disable modsec
        $ = /Add(Handler|Type|OutputFilter)\s+[^\s]+\s+\.htaccess/ nocase
        $ = ".mysql_history"
        $ = ".ssh/authorized_keys"
        $ = "/(.*)/e"  // preg_replace code execution
        $ = "/etc/passwd"
        $ = "/etc/proftpd.conf"
        $ = "/etc/resolv.conf"
        $ = "/etc/shadow"
        $ = "/etc/syslog.conf"
        $ = "/proc/cpuinfo" fullword
        $ = "/var/log/lastlog"
        $ = "/windows/system32/"
        $ = "LOAD DATA LOCAL INFILE" nocase
        $ = "WScript.Shell"
        $ = "WinExec"
        $ = "b374k" fullword nocase
        $ = "backdoor" fullword nocase
        $ = /(c99|r57|fx29)shell/
        $ = "cmd.exe" fullword nocase
        $ = "powershell.exe" fullword nocase
        $ = "evilc0ders" fullword nocase
        $ = "exploit" fullword nocase
        $ = "find . -type f" fullword
        $ = "hashcrack" nocase
        $ = "id_rsa" fullword
        $ = "ipconfig" fullword nocase
        $ = "kernel32.dll" fullword nocase
        $ = "kingdefacer" nocase
        $ = "Wireghoul" nocase fullword
        $ = "LD_PRELOAD" fullword
        $ = "libpcprofile"  // CVE-2010-3856 local root
        $ = "locus7s" nocase
        $ = "meterpreter" fullword
        $ = "nc -l" fullword
        $ = "netstat -an" fullword
        $ = "ps -aux" fullword
        $ = "rootkit" fullword nocase
        $ = "slowloris" fullword nocase
        $ = "suhosin.executor.func.blacklist"
        $ = "sun-tzu" fullword nocase // Because quotes from the Art of War is mandatory for any cool webshell.
		$ = /trojan (payload)?/
        $ = "uname -a" fullword
        $ = "visbot" nocase fullword
        $ = "warez" fullword nocase
        $ = "whoami" fullword
        $ = /(r[e3]v[e3]rs[e3]|w[3e]b)\s*sh[e3]ll/ nocase
        $ = /-perm -0[24]000/ // find setuid files
        $ = /hack(ing|er|ed)/ nocase
        $ = /(safe_mode|open_basedir) bypass/ nocase
        $ = /xp_(execresultset|regenumkeys|cmdshell|filelist)/ nocase
        $ = "attributes=ShuXing" nocase
    condition:
        filesize < 10MB and not whitelist and (uint16(0) == 0x3f3c or uint16(0) == 0x4850 or uint16(0) == 0x4b50 or uint16(0) == 0x253c or uint16(0) == 0x4b50 or uint16(0) == 0x696c or uint16(0) == 0x6553 or uint16(0) == 0x7473 or uint16(0) == 0x5A4D) and 2 of them
}
rule Websites_Modified
{
    strings:
        $ = "1337day.com" nocase
        $ = "antichat.ru" nocase
        $ = "b374k" fullword nocase
        $ = "ccteam.ru" nocase
        $ = "crackfor" nocase
        $ = "darkc0de" nocase
        $ = "egyspider.eu" nocase
        $ = "exploit-db.com" nocase
        $ = "hashchecker.com" nocase
        $ = "hashkiller.com" nocase
        $ = "md5crack.com" nocase
        $ = "md5decrypter.com" nocase
        $ = "milw0rm.com" nocase
        $ = "milw00rm.com" nocase
        $ = "packetstormsecurity" nocase
        $ = "pentestmonkey.net" nocase
        $ = "phpjiami.com" nocase
        $ = "rapid7.com" nocase
        $ = "shodan.io" nocase
        $ = "github.com/b374k/b374k" nocase
        $ = "mumaasp.com" nocase
        $ = "5kik" fullword nocase
    condition:
        any of them
}
rule GIF_exploit
{
meta:
	author = "@patrickrolsen"
	maltype = "GIF Exploits"
	version = "0.1"
	reference = "code.google.com/p/caffsec-malware-analysis"
	date = "2013-12-14"
strings:
	$magic = {47 49 46 38 ?? 61} // GIF8<version>a
	$s1 = "; // md5 Login" nocase
	$s2 = "; // md5 Password" nocase
	$s3 = "shell_exec"
	$s4 = "(base64_decode"
	$s5 = "<?php"
	$s6 = "(str_rot13"
	$s7 = ".exe"
	$s8 = ".dll"
	$s9 = "eval($_"
condition:
	($magic at 0) and any of ($s*)
}
rule html_exploit_GIF
{
meta:
	author = "@patrickrolsen"
	maltype = "Web Shells"
	version = "0.1"
	reference = "code.google.com/p/caffsec-malware-analysis"
	date = "2013-12-14"
strings:
	$magic = {47 49 46 38 ?? 61} // GIF8<version>a
	$s1 = {3c 68 74 6d 6c 3e} // <html>
	$s2 = {3c 48 54 4d 4c 3e} // <HTML>
condition:
	($magic at 0) and (any of ($s*))
}
rule web_shell_crews_Modified
{
meta:
	author = "@patrickrolsen"
	maltype = "Web Shell Crews"
	version = "0.6"
	reference = "http://www.exploit-db.com/exploits/24905/"
	date = "08/19/2014"
strings:
	$s1 = "v0pCr3w"
	$s2 = "BENJOLSHELL"
	$s3 = "EgY_SpIdEr"
	$s4 = "<title>HcJ"
	$s5 = "0wn3d"
	$s6 = "OnLy FoR QbH"
	$s7 = "wSiLm"
	$s8 = "b374k r3c0d3d"
	$s9 = "x'1n73ct|d"
	$s10 = "## CREATED BY KATE ##"
	$s11 = "Ikram Ali"
	$s12 = "FeeLCoMz"
	$s13 = "s3n4t00r"
	$s14 = "FaTaLisTiCz_Fx"
	$s15 = "feelscanz.pl"
	$s16 = "##[ KONFIGURASI"
	$s17 = "Created by Kiss_Me"
	$s18 = "Casper_Cell"
	$s19 = "# [ CREWET ] #"
	$s20 = "BY MACKER"
	$s21 = "FraNGky"
	$s22 = "1dt.w0lf"
	$s23 = "Modification By iFX"
	$s24 = "Dumped by C99madShell.SQL"
	$s25 = "Hacked By Alaa"
	$s26 = "XXx_Death_xXX"
	$s27 = "zehir3"
	$s28 = "zehirhacker"
	$s29 = "Shell Tcrew"
	$s30 = "w4ck1ng"
	$s31 = "TriCkz"
	$s32 = "TambukCrew"
	$s33 = "Dumped by c100.SQL"
	$s34 = "Hacker By Task QQ"
	$s35 = "JyHackTeam"
	$s36 = "byMesaj"
	$s37 = "by STHx"
	$s38 = "hacker!@#"
	$s39 = "Fucked by 7sign"
	$s40 = "Hacked By:NsQk"
	$s41 = "Ch1na HLD Secur1ty Team"
	$s42 = "hackxsy.net"
	$s43 = "[Black Tie]"
	$s44 = "[ Black Tie ]"
	$s45 = "X4ck By Death"
	$s46 = "Recoded bY 0x14113"
	$s47 = "0x14113_Server Shell"
	$s48 = "BY 0x14113"
	$s49 = "[ 0x14113 ASP Shell ]"
	$s50 = "ASP Shell"
	$s51 = "Hacked by @iSecGroup"
	$s52 = "@iSecGroup"
	$s53 = "Lulzsecroot"
	$s54 = "KingDefacer"
	$s55 = "Turkish H4CK3RZ"
	$s56 = "by q1w2e3r4"
	$s57 = "By Ironfist"
	$s58 = "AK-74 Security"
	$s59 = "ak74-team.net"
	$s60 = "ANTICHAT.RU" nocase
	$s61 = "ADMINSTRATORS TOOLKIT"
	$s62 = "ASPSpyder"
	$s63 = "Shell v 2.1 Biz"
	$s64 = "Ayyildiz Tim"
	$s65 = "b374k"
	$s66 = "Cool Surfer"
	$s67 = "vINT 21h"
	$s68 = "c0derz shell"
	$s69 = "Emperor Hacking TEAM"
	$s70 = "Comandos Exclusivos"
	$s71 = "Gamma Group"
	$s72 = "GFS Web-Shell"
	$s73 = "Group Freedom Search"
	$s74 = "h4ntu shell"
	$s75 = "powered by tsoi"
	$s76 = "SaNaLTeRoR"
	$s77 = "inDEXER"
	$s78 = "ReaDer"
	$s79 = "JspWebshell"
	$s80 = "zero.cnbct.org"
	$s81 = "Aventis KlasVayv"
	$s82 = "KlasVayv" nocase
	$s83 = "TurkGuvenligi"
	$s84 = "BLaSTER"
	$s85 = "lama's'hell"
	$s86 = "Liz0ziM"
	$s87 = "Loader'z WEB Shell"
	$s88 = "Loader Pro-Hack.ru"
	$s89 = "D3vilc0de"
	$s90 = "lostDC shell"
	$s91 = "MAX666"
	$s92 = "Hacked by Silver"
	$s93 = ".:NCC:."
	$s94 = "National Cracker Crew"
	$s95 = "n-c-c.6x.to"
	$s96 = "Cr4sh_aka_RKL"
	$s97 = "PHANTASMA"
	$s98 = "NeW CmD"
	$s99 = "z0mbie"
	$s100 = "phpRemoteView"
	$s101 = "php.spb.ru"
	$s102 = "Kodlama by BLaSTER"
	$s103 = "HolyDemon"
	$s104 = "infilak"
	$s105 = "Rootshell"
	$s106 = "hiddenshell"
	$s107 = "Iranian Hackers"
	$s108 = "G-Security"
	$s109 = "by DK"
	$s110 = "Simorgh"
	$s111 = "SimShell"
	$s112 = "AventGrup"
	$s113 = "Sincap"
	$s114 = "zyklon"
	$s115 = "lovealihack"
	$s116 = "alihack"
condition:
	not uint16(0) == 0x5A4D and any of ($s*)
}
rule basickeyword {
	strings:
		$s0 = "小组" wide ascii
		$s37 = {D0 A1 D7 E9}	//"小组"GB2312对应的16进制
		$s1 = "whoami" fullword nocase wide ascii
		$s2 = "专用大马" fullword wide ascii
		$s38 = {D7 A8 D3 C3 B4 F3 C2 ED}	//"专用大马"GB2312对应的16进制
		$s3 = "WShell.Reg" fullword wide ascii
		$s4 = "马的内容" fullword wide ascii
		$s39 = {C2 ED B5 C4 C4 DA C8 DD}	//"马的内容"GB2312对应的16进制
		$s5 = "绝对路径" fullword wide ascii
		$s40 = {BE F8 B6 D4 C2 B7 BE B6}	//"绝对路径"GB2312对应的16进制
		$s6 = "cmd.exe" fullword wide ascii	
		$s7 = "免杀" wide ascii
		$s41 = {C3 E2 C9 B1}	//"免杀"GB2312对应的16进制
		$s8 = "Payload" wide ascii	
		$s9 = "XP_CmdShell" fullword nocase wide ascii
		$s10 = "wscript.shell" fullword nocase wide ascii
		$s11 = "Xp_Regwrite" fullword nocase wide ascii
		$s12 = "sp_configure" fullword nocase wide ascii
		$s13 = "劫持" wide ascii
		$s42 = {BD D9 B3 D6}	//"劫持"GB2312对应的16进制
		$s14 = /(<\?php|[;{}])[ \t]*@?(eval|preg_replace|system|assert|passthru|(pcntl_)?exec|shell_execute|call_user_func(_array)?)\s*\(/ wide ascii
        $s15 = "本程序目录" wide ascii
		$s43 = {B1 BE B3 CC D0 F2 C4 BF C2 BC}	//"本程序目录"GB2312对应的16进制
		$s16 = "/etc/passwd" wide ascii
		$s17 = "cmd /c" wide ascii
		$s18 = "Serv-U" fullword nocase wide ascii
		$s19 = "PcAnywhere" fullword nocase wide ascii
		$s20 = "提权" fullword wide ascii
		$s44 = {CC E1 C8 A8}	//"提权"GB2312对应的16进制
		$s21 = "打包" fullword wide ascii
		$s45 = {B4 F2 B0 FC}	//"打包"GB2312对应的16进制
		$s22 = "挂马" fullword wide ascii
		$s46 = {B9 D2 C2 ED}	//"挂马"GB2312对应的16进制
		$s23 = "cmdshell" fullword nocase wide ascii
		$s24 = "进程" fullword wide ascii
		$s47 = {BD F8 B3 CC}	//"进程"GB2312对应的16进制
		$s25 = "WSCRIPT.NETWORK" fullword wide ascii
		$s26 = "回显" fullword wide ascii
		$s48 = {BB D8 CF D4}	//"回显"GB2312对应的16进制
		$s27 = "DDoS" fullword wide ascii
		$s28 = "木马" fullword wide ascii
		$s49 = {C4 BE C2 ED}	//"木马"GB2312对应的16进制
		$s29 = "IIS帐户" fullword nocase wide ascii
		$s50 = {49 49 53 D5 CB BB A7}	//"IIS帐户"GB2312对应的16进制
		$s30 = "命令执行" fullword wide ascii
		$s51 = {C3 FC C1 EE D6 B4 D0 D0}	//"命令执行"GB2312对应的16进制
		$s31 = "暴力破解" fullword wide ascii
		$s52 = {B1 A9 C1 A6 C6 C6 BD E2}	//"暴力破解"GB2312对应的16进制
		$s32 = "攻击" wide ascii
		$s53 = {B9 A5 BB F7}	//"攻击"GB2312对应的16进制
		$s33 = "rootkit" fullword nocase wide ascii
		$s34 = "server=localhost;UID=sa" fullword nocase wide ascii
		$s35 = "xplog70.dll" fullword nocase wide ascii
		$s36 = "net user" fullword nocase wide ascii
		$s54 = { 4675636b }			//Fuck
	condition:
		filesize < 10MB and (uint16(0) == 0x3f3c or uint16(0) == 0x4850 or uint16(0) == 0x4b50 or uint16(0) == 0x253c or uint16(0) == 0x4b50 or uint16(0) == 0x696c or uint16(0) == 0x6553 or uint16(0) == 0x7473 or uint16(0) == 0x5A4D) and 2 of them
}
rule basickeyword2 {
    strings:
		$s0 = "getruntime().exec" fullword nocase wide ascii
		$s1 = "strrev" fullword nocase wide ascii
		$s2 = "FromBase64String" fullword nocase wide ascii
		$s3 = "cmdexec" fullword nocase wide ascii
		$chr = /\$[^=]+=[\t ]*(chr\([0-9]+\)\.?){3,}/
		$ = /LANGUAGE\s*=\s*VBScript.Encode/ nocase
		$basedir_bypass2 = "file:file:///" // https://www.intelligentexploit.com/view-details.html?id=8719  
		$basedir_bypass = /curl_init\s*\(\s*["']file:\/\// nocase    
    condition:
		filesize < 10MB and (uint16(0) == 0x3f3c or uint16(0) == 0x4850 or uint16(0) == 0x4b50 or uint16(0) == 0x253c or uint16(0) == 0x4b50 or uint16(0) == 0x696c or uint16(0) == 0x6553 or uint16(0) == 0x7473 or uint16(0) == 0x5A4D) and 2 of them
}
rule basickeyword3 {
    strings:
		$s0 = /@eval\s*\(/ nocase
		$s1 = "passthru" fullword nocase
		$s2 = "shell_exec" fullword nocase		
		$s3 = "echo base64_decode($" fullword nocase
		$s4 = "chunk_split(base64_encode(" fullword nocase
        $s5 = "socket_write" fullword nocase
        $s6 = "gzinflate" fullword nocase
        $s7 = "chown" fullword nocase
        $s8 = "str_rot13" fullword nocase
        $s9 = "symlink" fullword nocase
        $s10 = "proc_close" fullword nocase
        $s11 = "fpassthru" fullword nocase
        $s12 = "socket_listen" fullword nocase
        $s13 = "pnctl_exec" fullword nocase
        $s14 = "expect_popen" fullword nocase
        $var_as_func = /\$_(GET|POST|COOKIE|REQUEST|SERVER)\s*\[[^\]]+\]\s*\(/	
		$ = /ob_start\s*\(\s*[^\)]/  //ob_start('assert'); echo $_REQUEST['pass']; ob_end_flush();
		$asp = "scripting.filesystemobject" nocase
	    $ini_get = /ini_(get|set|restore)\s*\(\s*['"](open_basedir|safe_mode_exec_dir|safe_mode_include_dir|allow_url_include)/ nocase
		$disable_magic_quotes = /set_magic_quotes_runtime\s*\(\s*0/ nocase
		$pr = /(preg_replace(_callback)?|mb_ereg_replace|preg_filter)\s*\(.+(\/|\\x2f)(e|\\x65)['"]/  nocase // http://php.net/manual/en/function.preg-replace.php
		$concat_with_spaces = /(\$[^\n\r]+\. ){5}/  // concatenation of more than 5 words, with spaces		
    condition:        
		filesize < 10MB and (uint16(0) == 0x3f3c or uint16(0) == 0x4850 or uint16(0) == 0x4b50 or uint16(0) == 0x253c or uint16(0) == 0x4b50 or uint16(0) == 0x696c or uint16(0) == 0x6553 or uint16(0) == 0x7473 or uint16(0) == 0x5A4D) and 3 of them
}
rule checkwriteable {
    strings:
		$s1 = "可写" wide ascii
		$s14 = {BF C9 D0 B4}	//"可写"GB2312对应的16进制
		$s2 = "System.Text.RegularExpressions" fullword nocase
		$s3 = "临时目录" wide ascii		
		$s15 = {C1 D9 CA B1 C4 BF C2 BC}	//"临时目录"GB2312对应的16进制
		$s4 = "objFSO.FileExists" fullword nocase
        $s5 = "FSO.FolderExists" fullword nocase		
        $s6 = "fso.createTextFile" fullword nocase		
        $s7 = "showobjpath" fullword nocase		
        $s8 = "StrReverse" fullword nocase		
        $s9 = "RndNumber" fullword nocase		
        $s10 = "phpinfo()" fullword nocase		
        $s11 = "不可读" fullword nocase		
		$s15 = {B2 BB BF C9 B6 C1}	//"不可读"GB2312对应的16进制
        $s12 = "ReWrStr" fullword nocase		
        $s13 = "CheckDirIsOKWrite" fullword nocase		
    condition:
		3 of them
}
rule reGeorge {
    strings:
		$s0 = "System.Net.Sockets" fullword nocase
		$s1 = "reGeorg" fullword nocase
		$s2 = "php_sockets.dll" fullword nocase		
		$s3 = "sock.recv" fullword nocase
		$s4 = "X-TARGET" fullword nocase
		$s5 = "response.getheader" fullword nocase
		$s6 = "X-STATUS" fullword nocase
		$s7 = "X-ERROR" fullword nocase
		$s8 = "X-CMD" fullword nocase				
    condition:
		2 of them
}
rule Then {
    strings:
		$s0 = "execute session" fullword nocase
        $s1 = "Execute(Request" fullword nocase
    condition:
		2 of them
}
rule SaveAs {
    strings:
		$s0 = "Request.Files.Count" fullword nocase
        $s1 = "SaveAs" fullword nocase
        $s2 = "Server.MapPath" fullword nocase
    condition:
		all of them
}
rule BypassSafeDog {
    strings:
		$s0 = "eval" fullword nocase
		$s1 = "exs" fullword nocase
		$s2 = "dec" fullword nocase
    condition:
		all of them
}
rule Online_Obfuscator {
    strings:
		$s0 = "eval" fullword nocase
		$s1 = "Obfuscator" fullword nocase
		$s2 = "Checksum" fullword nocase
		$s3 = "phpjm" fullword nocase
    condition:
		3 of them
}
rule CN_Honker_Webshell_ModifyChopperVariation {
	meta:
		description = "ModifyChopperVariation"
		author = "hos@ysrc"
		date = "2016-12-31"
	strings:
	    $0 = "eval(\"e\"&\"v\"&\"a\"&\"l\"&\""  fullword ascii
		$1 = "eval(eval("  fullword nocase ascii
		$2 = "+x-+ACI-c+ACI)+x-" fullword nocase ascii
		$3 = "e+x-v+x-a+x-l" fullword nocase ascii
	condition:
        filesize < 200KB and 1 of them	
}
rule execution {
	strings:
	    $execution = /(eval|assert|passthru|exec|include|system|pcntl_exec|shell_execute|`|array_map|call_user_func(_array)?)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE))/ nocase  // function that takes a callback as 1st parameter
		$execution2 = /(array_reduce|array_walk(_recursive)?|array_walk|assert_options|uasort|uksort|usort|preg_replace_callback|iterator_apply)\s*\(\s*[^,]+,\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE|SERVER))/ nocase  // functions that takes a callback as 2nd parameter
		$execution3 = /(array_(diff|intersect)_u(key|assoc)|array_udiff)\s*\(\s*([^,]+\s*,?)+\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE|SERVER))\s*\[[^]]+\]\s*\)+\s*;/ nocase  // functions that takes a callback as 2nd parameter
	condition:
        1 of them	
}
rule mo{
	strings:
        $re1 = /((eval|eval_r|ExecuteGlobal)\s*?\(?request)/			//ASP一句话((?:eval|eval_r|execute|ExecuteGlobal)\s*?\(?request)
		$re2 = /((exec|edoced_46esab|eval|eval_r|system|proc_open|popen|curl_exec|curl_multi_exec|parse_ini_file|show_source|assert)\s*?\(\S*\$(_POST|_GET|_REQUEST|GLOBALS))/		//php一句话((?:exec|base64_decode|edoced_46esab|eval|eval_r|system|proc_open|popen|curl_exec|curl_multi_exec|parse_ini_file|show_source|assert)\s*?\(\$(?:_POST|_GET|_REQUEST|GLOBALS))
		$re3 = /((_POST|_GET|_REQUEST|GLOBALS)\[(.*?)\]\(\$(_POST|_GET|_REQUEST|GLOBALS))/			//php一句话((?:_POST|_GET|_REQUEST|GLOBALS)\[(?:.*?)\]\(\$(?:_POST|_GET|_REQUEST|GLOBALS))
		$re4 = /write\(request\.getParameter/									//JSP一句话write\(request\.getParameter
		//$re5 = /((eval|eval_r|execute|ExecuteGlobal).*?request)/		
		//误报较多已注释ASPX一句话((?:eval|eval_r|execute|ExecuteGlobal).*?request)
		$re6 = /SaveAs\(\s*?Server\.MapPath\(\s*?Request/		//ASPX一句话SaveAs\(\s*?Server\.MapPath\(\s*?Request

    condition:
        not whitelist and 1 of them	
}
rule magicword1  {
    strings:
        $s0 = "md5-cryped" fullword nocase wide ascii
        $s1 = "5201314" fullword nocase wide ascii
        $s2 = "changeme" fullword nocase wide ascii
        $s3 = "whoamI" fullword nocase wide ascii
        $s4 = "592714" fullword nocase wide ascii
        $s5 = "admin!@#" fullword nocase wide ascii
        $s6 = "r00t" fullword nocase wide ascii
        $s7 = "hacker" fullword nocase wide ascii
        $s8 = "size='25'" fullword nocase wide ascii
        $s9 = "lucifer" fullword nocase wide ascii
        $s10 = "zaq1@WSXcde3" fullword nocase wide ascii
        $s11 = "a1b2c3a4" fullword nocase wide ascii
        $s12 = "admin$" fullword nocase wide ascii
        $s13 = "012457" fullword nocase wide ascii
        $s15 = "rinima" fullword nocase wide ascii
        $s16 = "lol" fullword nocase wide ascii
        $s17 = "hehe" fullword nocase wide ascii
        $s18 = "1q1q1q" fullword nocase wide ascii
        $s19 = "5065338" fullword nocase wide ascii
        $s20 = "nohack" fullword nocase wide ascii
        $s21 = "584521" fullword nocase wide ascii
        $s22 = "sqlpass" fullword nocase wide ascii
        $s23 = "8013520" fullword nocase wide ascii
        $s24 = "noid" fullword nocase wide ascii
        $s25 = "45189946" fullword nocase wide ascii
        $s26 = "13141234567" fullword nocase wide ascii
        $s27 = "tt1234" fullword nocase wide ascii
        $s28 = "156156" fullword nocase wide ascii
        $s29 = "520520" fullword nocase wide ascii
    condition:
		filesize < 10MB and (uint16(0) == 0x3f3c or uint16(0) == 0x4850 or uint16(0) == 0x4b50 or uint16(0) == 0x253c or uint16(0) == 0x4b50 or uint16(0) == 0x696c or uint16(0) == 0x6553 or uint16(0) == 0x7473 or uint16(0) == 0x5A4D) and 2 of them
}
rule magicword2  {
    strings:
		$s0 = "bdbca288fee7f92f2bfa9f7012727740" fullword nocase wide ascii
		$s1 = "1a1dc91c907325c69271ddf0c944bc72" fullword nocase wide ascii
        $s2 = "0de664ecd2be02cdd54234a0d1229b43" fullword nocase wide ascii
		$s3 = "a619d974658f3e749b2d88b215baea46" fullword nocase wide ascii
		$s4 = "8634361d1a2e44420f44ef3612706bb5" fullword nocase wide ascii
		$s5 = "47e331d2b8d07465515c50cb0fad1e5a" fullword nocase wide ascii
		$s6 = "081322851bd264a2702f1169aad42129" fullword nocase wide ascii
		$s7 = "63a9f0ea7bb98050796b649e85481845" fullword nocase wide ascii
		$s8 = "ec371748dc2da624b35a4f8f685dd122" fullword nocase wide ascii
		$s9 = "7fea0708f4bc4266ab5efcd242028106" fullword nocase wide ascii
		$s10 = "11f942ba7f384ddcc245810b87f659d5" fullword nocase wide ascii
		$s11 = "21232f297a57a5a743894a0e4a801fc3" fullword nocase wide ascii
		$s12 = "2cf1656ed3df6864df08feaf603ebe13" fullword nocase wide ascii
		$s13 = "8f841a9b44b0167db6056389e0106af4" fullword nocase wide ascii
		$s14 = "7c3b55841ea9fb990c33b85c6b93b35f" fullword nocase wide ascii
		$s15 = "e8ff7d8d7a49a969a2cb8502eded9d79" fullword nocase wide ascii
		$s16 = "571df1818893b45ad4fd9697b55b3679" fullword nocase wide ascii
		$s17 = "7c7f0f5f0f9e774ec437e1077e6c84a7" fullword nocase wide ascii
		$s18 = "fb621f5060b9f65acf8eb4232e3024140dea2b34" fullword nocase wide ascii
    condition:
		1 of them
}
rule magicword3  {
    strings:
        $s0 = "b374k" fullword nocase wide ascii
        $s1 = "yuemo" fullword nocase wide ascii
        $s2 = "sysy" fullword nocase wide ascii
        $s3 = "t00ls.org" fullword nocase wide ascii
        $s4 = "mumaasp" fullword nocase wide ascii
        $s5 = "danmo" fullword nocase wide ascii
        $s6 = "jspspy" fullword nocase wide ascii
        $s7 = "serwansz" fullword nocase wide ascii
        $s8 = "silic" fullword nocase wide ascii
        $s9 = "smowu" fullword nocase wide ascii
        $s10 = "k8team" fullword nocase wide ascii
        $s11 = "Forjj" fullword nocase wide ascii
        $s12 = "JspSpyPwd" fullword nocase wide ascii
        $s13 = "icesword" fullword nocase wide ascii
        $s14 = "darkst" fullword nocase wide ascii
		$s15 = "mmym" fullword nocase wide ascii
        $s16 = "wrsk" fullword nocase wide ascii
        $s17 = "hkmm" fullword nocase wide ascii
        $s18 = "ceshi2009" fullword nocase wide ascii
		$s19 = "k1r4" fullword nocase wide ascii
        $s20 = "N3t" fullword nocase wide ascii
        $s21 = "shellci.biz" fullword nocase wide ascii
        $s22 = "nst666" fullword nocase wide ascii
        $s23 = "KingDefacer" fullword nocase wide ascii
        $s24 = "7jyewu" fullword nocase wide ascii
        $s25 = "MyPaSsWoRd" fullword wide ascii
        $s26 = "nian1106" fullword nocase wide ascii
        $s27 = "egy_spider" fullword nocase wide ascii
        $s28 = "devilzc0der" fullword nocase wide ascii
        $s29 = "xfgSS" fullword nocase wide ascii
        $s30 = "$WinNT=1" fullword nocase wide ascii
        $s31 = "mr.wei" fullword nocase wide ascii
        $s32 = "baojuhua" fullword nocase wide ascii
        $s33 = "rjmJsp" fullword nocase wide ascii
		$s34 = "phpshell" fullword nocase wide ascii
        $s35 = "kj021320" fullword nocase wide ascii
        $s36 = "seo0510" fullword nocase wide ascii
    condition:
		filesize < 10MB and (uint16(0) == 0x3f3c or uint16(0) == 0x4850 or uint16(0) == 0x4b50 or uint16(0) == 0x253c or uint16(0) == 0x4b50 or uint16(0) == 0x696c or uint16(0) == 0x6553 or uint16(0) == 0x7473 or uint16(0) == 0x5A4D) and 1 of them
}

